[57] ABSTRACT

A protection system for a computer is provided. This system is essentially based on the provision of an EEPROM (20) with a non-standard access mode, containing configuration data of the computer as well as a password. At power-on, the contents of the EEPROM, optionally except the password, are copied into a CMOS memory (16) which must conventionally be present in the computer. The invention optionally provides additional circuitry for irreversibly cutting the access to the EEPROM and to specified peripheral devices.

4 Claims, 2 Drawing Sheets 
APPARATUS FOR PREVENTING CHANGES OF COMPUTER CONFIGURATION DATA BY UNAUTHORIZED USERS

This application is a continuation of application Ser. No. 08/264,840 filed Jun. 23, 1994, now U.S. Pat. No. 5,535,409, which in turn is a continuation of application Ser. No. 07/868,499 filed Apr. 15, 1992, abandoned.

BACKGROUND OF THE INVENTION 

The present invention relates to the protection of a computer and in particular to the protection of confidential data stored in memory.

FIG. 1 very schematically shows a conventional computer architecture. It includes a central processing unit (CPU) 10 connected to a terminal 11 comprising a screen and a keyboard; to a volatile central random access memory (RAM) 12; to a non-volatile read only memory (ROM) 13; to a mass storage device 14, such as a hard disk or a floppy disk; to groups of peripheral devices P1 and P2, such as printers, other disks, etc.; and to a volatile battery powered CMOS memory 16 where configuration data defined by the operator are stored. The configuration data comprise information for adapting and adjusting, or "configuring", the computer as a function of initial options desired by the operator and especially so that the computer can correctly use its peripheral devices, such as the screen, the keyboard, the hard disk, etc.

Nowadays, certain computers are inoperable by a person not knowing a password at power-on of the computer. Indeed, at power-on and before the computer can be used, a password is asked for. However, such a computer is vulnerable when it is on and the password has been entered.

More sophisticated computers, such as models 286N and 386N manufactured by the firm Compaq, offer security functions. Among the configuration data there are a password and access prohibitions to a group of peripheral devices, for example P1, wherein the prohibitions cannot be lifted, theoretically, unless the password is known. For example, access can be prohibited to the hard disk of a computer which stays on unwatched in order to prevent an unauthorized person from accessing the data stored on the disk.

To enhance the security, for reasons which will be discussed later, the password is stored in an area of the CMOS memory 16, the access to which can be irreversibly cut while the computer is on. The access to the other configuration data must not be cut because the operating system of the computer must be able to use them. The operation of such a computer is as follows.

At power-on of the computer (cold boot), the computer must perform a certain number of operations before the operator can use it. These operations are generally the following.

a) A Power-On Self Test program (POST), which is permanently stored in ROM 13, is executed by the CPU 10. This program reads the configuration data in CMOS memory 16, these data including the password and the access prohibitions, then asks the operator to provide a password and continues its execution if the password is good.

b) The POST configures the computer, adjusts the peripheral devices and cuts the accesses to the prohibited peripheral devices, for example group P1.

c) During the execution of the POST, the operator can choose to modify the configuration. This choice is generally achieved by hitting a key before the end of a predetermined time interval. In this case, the POST executes a configuration program, usually called SETUP, stored in ROM. As SETUP is executed, the operator can see on the screen the actual configuration stored in the CMOS memory, and propose modifications. The configuration is then modified in the CMOS memory. To validate the new configuration, operation b) must be resumed, which can only be done, in general, by rebooting the computer.

d) Before terminating, the POST cuts the access to the password stored in the CMOS memory and loads into the central memory 12 an operating system stored on the mass storage device 14. The operating system is a program which uses the configuration data stored in the CMOS memory, manages the computer and allows the operator to exploit the computer in a simple way.

When the mass storage device 14 is a hard disk containing the operating system permanently, in practice, the operator also has the possibility to use an operating system stored on a floppy disk. Therefore, a floppy disk drive is provided in which the operator inserts the floppy disk and, when the computer is rebooted, the POST will first attempt to load the operating system from this floppy disk. It will be considered hereafter that the computers have a hard disk as mass storage device 14 for which a floppy disk can be substituted and wherein the loading of the operating system is first attempted from a floppy disk.

To reboot the computer it is also possible to do a warm boot, i.e. a reset of the computer while its power is still on. In unprotected computers, this has the same effect as a cold boot, except that it is faster.

A drawback of known computers is that the CMOS memory 16 is easily accessed. The access to this memory is standard so that it is compatible with all available operating systems. Thus, a hacker having some technical knowledge knows how to modify the accessible content of the CMOS memory by using, for example, a debugger program generally available with the operating system, which allows data to be written and read in memory areas, especially in the CMOS memory. The hacker is also able to reboot on a floppy disk containing a program which is executed automatically and can, for example, modify the contents of the CMOS memory in a short time.

In the above mentioned 286N and 386N computer models, during a warm boot, the access to the password in the CMOS memory is not reestablished and the password cannot be used by the POST. During such a boot, the POST must still be executed to configure the computer. Thus, since the POST does not then block the use of the computer by a password, a hacker can do a warm boot on a floppy disk in a disk drive to which the access was not cut. Although the hacker cannot then access the password, he can cancel the access prohibitions and modify the configuration.

A floppy disk boot can be prohibited, but this is usually done by software which a competent hacker can bypass.

Moreover, erroneous instructions in a program can accidentally modify the contents of the CMOS memory.

The CMOS memory 16 is usually a battery powered volatile memory for various technical reasons; especially, this memory is associated with a real time clock. Thus, at the end of the life of the battery (about 5 years) the content of the CMOS memory will vanish.

SUMMARY OF THE INVENTION

An object of the invention is to provide a computer in which the storage life of the configuration data is unlimited.

Another object of the invention is to provide a computer protection system which is more difficult to bypass by a hacker.

Another object of the invention is to provide a computer 
protection system which cannot be bypassed by a person not 
knowing a password. 

These objects are attained by a computer comprising: a volatile memory which is standardly provided for storing computer configuration data at least partially user defined, this volatile memory having a standard access mode; a non-volatile reprogrammable memory associated with programming means, this non-volatile memory having a different access mode than the volatile memory and storing said computer configuration data and user defined confidential data; and a central processing unit (CPU) operative to access both memories for, at power-on of the computer, updating the configuration data in the volatile memory with the configuration data of the non-volatile memory.

According to an embodiment of the invention, the computer comprises switch means operated, between the moment when the configuration data is updated in the volatile memory and the next power-on of the computer, for cutting the accesses of the computer to the non-volatile memory and to peripheral devices determined by the user defined configuration data.

According to an embodiment of the invention, the computer comprises a second volatile memory only accessible through a verifying circuit in which are provided: means for communicating with the CPU; means for writing in the second volatile memory, at power-on, a password included in the user defined confidential data; and a comparator for comparing a password, to be provided by the user through the CPU, to the password stored in the second volatile memory and for operating the switch means to reestablish the cut accesses if the result of the comparison is good.

According to an embodiment of the invention, the computer comprises a flip-flop closing the switch when it is at an active state, this active state being set by a power-on reset circuit and the inactive state being set through the CPU.

According to an embodiment of the invention, the computer comprises a flip-flop closing the switch means when it is at an active state, this active state being set by the verifying circuit and the inactive state being set through the CPU.

According to an embodiment of the invention, the verifying circuit and the second volatile memory are implemented in an available microcontroller of the computer.

The present invention provides a protection method for a computer including a volatile memory standardly provided for storing configuration data at least partially user defined. The method comprises the steps of: a) updating the volatile memory with configuration data stored in a non-volatile reprogrammable memory having a different access mode than the volatile memory; and b) comparing a password to be provided by a user to a password stored in the non-volatile memory and continuing if the passwords are equal.

According to an embodiment of the invention, the method comprises the additional steps of: c) adjusting the configuration of the computer according to the configuration data stored in the non-volatile memory; and d) if the user carries out a specific action, writing new configuration data provided by the user in the non-volatile memory.

According to an embodiment of the invention, the method comprises the additional step of cutting the accesses of the computer to the non-volatile memory and to peripheral devices defined by the user in the configuration data, the cut accesses only being reestablished at power-on.

According to an embodiment of the invention, at power-on, the password stored in the non-volatile memory is written in a second volatile memory 20 only accessible through a verifying circuit, this circuit carrying out, upon a warm boot or a specific action of the user, the steps of: comparing the password to be provided by the user to the password stored in the second volatile memory; and reestablishing the cut accesses if the result of the comparison is good so that a modification by the user of the contents of the non-volatile memory is possible. The reestablished accesses are cut again once the password has been provided and, when necessary, the contents of the non-volatile memory have been modified by the user.

BRIEF DESCRIPTION OF THE DRAWINGS 

The foregoing and other objects, features and advantages will be described in more detail in the following description by referring to the accompanying drawings among which:

FIG. 1, previously described, very schematically represents a conventional computer architecture; and

FIGS. 2 to 4 schematically represent computer architectures according to embodiments of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In FIG. 2, the same elements as in FIG. 1 are shown, designated by the same reference numbers. According to the invention, the computer comprises a non-volatile electrically erasable and programmable read only memory (EEPROM) 20 connected to the CPU 10, this memory being associated with an erasing and programming circuit 22. CMOS memory 16 need no longer be battery

In the EEPROM are stored the configuration data including a password and access prohibitions to peripheral devices P1. Memories EEPROM 20 and CMOS 16 are used in the following manner according to the invention.

At boot time, a suitable POST program is executed. It reads the data in the EEPROM memory and transfers them, except for the password, into the CMOS memory. It asks for the password and continues its execution in a conventional manner if the provided password is good.

The operator can conventionally invoke a suitable SETUP program stored in ROM. The configuration data modifications proposed by the operator are then written into the EEPROM 20. The remaining operations are conventional.

A second suitable SETUP program on disk can also be invoked to modify the configuration. This SETUP program will ask for the password stored in the EEPROM memory and will carry out the modifications in the CMOS memory if the provided password is good.
Thus, at each boot, the configuration data stored in the EEPROM will be written over the CMOS memory. This CMOS memory 16 is in fact only kept for compatibility reasons, as the operating systems must be able to use it.

As was previously mentioned, the access to the CMOS memory is standard. This access is generally achieved by writing an address in a first specific register, the data, comprised of words of a given number of bits, being read or written word by word in a second specific register. The addresses of these first and second specific registers are standard. It is thus easy to read or write in this memory without going through the SETUP program.

The EEPROM is not subject to compatibility requirements and its access is deliberately made more complex. For example, the EEPROM can be chosen with a serial access, i.e. each data word is read or written bit by bit in the EEPROM.

Thus, the probability for a program to accidentally write data in this EEPROM is low and a hacker faces the two following difficulties: on the one hand, it will be difficult for him to detect the presence of the EEPROM because he will be able to access, although without consequence, the CMOS memory, which will appear to him as containing the data which interest him; and on the other hand, if he detects the presence of the EEPROM, it will be very difficult for him to find how to access it because the access to this memory is not standard and it will not be communicated to the public how it can be achieved.

However, as the EEPROM is theoretically accessible by an operator and, as the security functions, which are generally achieved by software, can be bypassed by a competent hacker, another embodiment of the invention, shown in FIG. 3, is provided to avoid this.

In FIG. 3, the same elements as in FIG. 2 are shown, designated by the same reference numbers. The access to the EEPROM 20 and to the peripheral devices P1 determined by the operator can be irreversibly cut by switches 30 controlled, for example, by an RS flip-flop 31 itself controlled via the CPU 10. Switches 30 can be placed upon the chip-select lines of the EEPROM memory and of the peripheral devices. The operation of this system is as follows.

During a cold boot, a power-on reset circuit generally included in the computer provides a pulse intended to reset various circuits of the computer, the state of which is uncertain. This pulse is also provided to the reset input R of flip-flop 31, which causes all switches 30 to be closed.

The POST is executed as described for FIG. 2, that is, it 
reads the contents of EEPROM 20 and transfers them, 
except for the password, to the CMOS memory 16. The 
password is verified and the POST continues conventionally 
if the password is good. 

The operator can invoke the SETUP program stored in ROM 13 to modify in the EEPROM the configuration data and the access prohibitions to peripheral devices.

The POST continues and, before loading the operating system, it causes the CPU 10 to send a pulse on the set input S of flip-flop 31 which opens switches 30 and cuts the access to the EEPROM and to the peripheral devices P1 determined by the data initially contained in the EEPROM.

Whatever the hacker might do, it is impossible for him to 
access the EEPROM and the prohibited peripheric devices. 
Indeed, the switches 30 prohibiting this access can only be 
closed by the above mentioned power-on reset circuit on a 
cold boot which is when the password must be provided. 

During a warm boot of such a computer, switches 30 remain open, still cutting the access to the data in the EEPROM, especially to the password. These data can therefore not be used by the POST which, during such a boot, must however be executed to readjust the reversible configuration, i.e. the configuration which is not affected by switches 30. Without asking for a password, the POST will adjust the reversible configuration from the data stored in the memory, whereas the contents of the CMOS memory could have been modified by a hacker or a defective program. Moreover, as the POST does not block the use of the computer by a password, a hacker will be able to do a warm boot on a floppy disk in a disk drive to which the access has not been prohibited.

Furthermore, if the operator wants to reconfigure his computer, he must necessarily reestablish the access to the EEPROM, i.e. he must switch the computer off and back on, which is tedious.

FIG. 4 shows an embodiment of the invention overcoming the above drawbacks. The same elements as in FIG. 3 are shown, designated by the same reference numbers. The reset input R of flip-flop 31 is here controlled by a password verifying circuit 40. The operation of this system is as follows.

At power-on, the verifying circuit 40 sends a pulse to the reset input R of flip-flop 31 which closes switches 30. A suitable POST program starts, reads the contents of the EEPROM 20 and writes them, except for the password, in the CMOS memory 16.
The POST asks the operator to provide a password and continues if the password is good. The password contained in the EEPROM is copied in a memory 42 of the verifying circuit 40. This memory 42 is such that it can only be written once at power-on. This is, for example, achieved by an access attempt counter (not shown) which is reset at power-on. The POST continues conventionally.

The operator can invoke the SETUP program stored in ROM as previously and update the EEPROM with new configuration data.

The POST continues and, before loading the operating system, causes the CPU to send a pulse to the set input S of flip-flop 31 which opens switches 30 of the EEPROM and of the selected peripheral devices P1.

On a warm boot, the POST attempts to read in the EEPROM and detects that the latter does not answer. The POST still asks for the password and communicates it, via the CPU, to the verifying circuit 40 which compares it to the password stored in its memory 42. The verifying circuit transmits the result of the comparison to the CPU to allow the POST to continue if the right password is provided. If the right password is provided, the verifying circuit 40 sends a pulse to the reset input R of flip-flop 31 which closes switches 30. The continuation of the POST is authorized and the operator can invoke the SETUP program stored in ROM to modify the contents of the EEPROM. The POST causes the switches 30 to open before loading the operating system, as described for FIG. 3.

The operator will also be able, when the computer is on, to invoke a second suitable SETUP program stored on disk, which will ask for the password and will transmit it to the verifying circuit 40 via the CPU 10. In this case too, if the right password is provided, the verifying circuit will close switches 30 and will allow the operator to modify the data in the EEPROM. This second SETUP program is, like the POST, such that it causes switches 30 to reopen before terminating.

Thus, such a system is practical for the operator, who can at any time change the configuration, but is invulnerable to a hacker who does not know the password. Indeed, the hacker must provide the password at cold or warm boot and, if he finds the computer on, he will be able to access neither the EEPROM nor the prohibited peripheral devices. Moreover, the fact that it is only possible to write in memory 42 of the verifying circuit 40 at power-on cancels the theoretical possibility that a hacker has to modify the contents of memory 42 by deleting the password or overwriting it with another password.

As can be noted in the above description, the functions to be achieved by the verifying circuit 40 are the following:

receiving passwords from the CPU;

writing the first password received since power-on in memory 42 and cancelling any subsequent attempt to read or write in memory 42, at least at the location of the password;

closing switches 30 (by sending a pulse to the reset input R of flip-flop 31) at power-on and upon receiving a subsequent password equal to the one stored in memory 42; and

transmitting the equality or non-equality of the passwords to the CPU.
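As an added illustration, not part of the patent text, the following C model simulates the four functions of verifying circuit 40 together with RS flip-flop 31 and switches 30: the power-on reset that closes the switches, the write-once memory 42 guarded by its attempt counter, the password comparison that closes the switches again, and a cold-boot / warm-boot walk-through of the FIG. 4 behaviour. The fixed password width, the sample passwords, all function names and the constant-time comparison are constructed assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define PW_LEN 8 /* assumed fixed password width (constructed) */

/* RS flip-flop 31 driving switches 30: a pulse on R closes them,
 * a pulse on S opens them. true = closed = EEPROM 20 and P1 reachable. */
static bool switches_closed;

/* Verifying circuit 40 and its write-once memory 42. */
typedef struct {
    unsigned char pw[PW_LEN];
    unsigned writes_since_power_on; /* the access-attempt counter */
} verifier_t;

static verifier_t vc;

/* Power-on reset: counter cleared, R pulsed, switches 30 closed. */
void power_on(void) {
    memset(&vc, 0, sizeof vc);
    switches_closed = true;
}

/* Pulse on S from the CPU: POST or SETUP opens switches 30 before
 * handing control to the operating system. */
void cpu_pulse_set(void) { switches_closed = false; }

/* Chip-select of EEPROM 20 passes only while switches 30 are closed. */
bool eeprom_accessible(void) { return switches_closed; }

/* Function 2: only the first write since power-on reaches memory 42;
 * any later attempt is cancelled. Returns whether the write landed. */
bool vc_write_password(const unsigned char *pw) {
    if (vc.writes_since_power_on != 0)
        return false;
    memcpy(vc.pw, pw, PW_LEN);
    vc.writes_since_power_on = 1;
    return true;
}

/* Functions 3 and 4: compare a password received from the CPU; on
 * equality pulse R (close switches 30) and report the result. */
bool vc_check_password(const unsigned char *pw) {
    unsigned char diff = 0;
    /* constant-time comparison: added here, not described in the patent */
    for (size_t i = 0; i < PW_LEN; i++)
        diff |= (unsigned char)(vc.pw[i] ^ pw[i]);
    if (diff == 0)
        switches_closed = true;
    return diff == 0;
}

/* FIG. 4 walk-through: cold boot, CPU opens the switches, then a warm
 * boot (no power-on reset) tries to tamper and finally supplies the
 * right password. Each satisfied expectation sets one bit. */
unsigned run_scenario(void) {
    static const unsigned char eeprom_pw[PW_LEN] = "s3cret!!";  /* constructed */
    static const unsigned char attacker_pw[PW_LEN] = "AAAAAAAA"; /* constructed */
    unsigned obs = 0;

    power_on();
    if (eeprom_accessible()) obs |= 1u;             /* POST may read EEPROM */
    if (vc_write_password(eeprom_pw)) obs |= 2u;    /* password copied to 42 */
    cpu_pulse_set();                                /* before loading the OS */
    if (!eeprom_accessible()) obs |= 4u;            /* EEPROM now cut */

    /* warm boot: counter still 1, switches still open */
    if (!vc_write_password(attacker_pw)) obs |= 8u;   /* overwrite refused */
    if (!vc_check_password(attacker_pw)) obs |= 16u;  /* wrong password */
    if (!eeprom_accessible()) obs |= 32u;             /* still cut */
    if (vc_check_password(eeprom_pw)) obs |= 64u;     /* right one closes 30 */
    if (eeprom_accessible()) obs |= 128u;             /* SETUP may now write */
    return obs;                                       /* 0xff when all hold */
}

int main(void) {
    printf("observations: 0x%02x\n", run_scenario());
    return 0;
}
```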

These functions can easily be achieved by those skilled in the art with logic gates, comparators and flip-flops. It is particularly easy to achieve them with a suitably programmed microcontroller including its own memory. Preferably the microcontroller is already provided in the computer, such as the keyboard controller. The microcontroller is then already implemented for communicating with the CPU and its program only needs simple modifications to achieve the above functions. Connection pins of the microcontroller are usually available; one of them can thus be used for controlling the reset input R of flip-flop 31.

The pulses to be sent to the set input S of flip-flop 31, to open switches 30 upon request by the CPU, can easily be achieved by providing in the computer a latch, the output of which is connected to the set input of the flip-flop. The latch is then write-selectable by an address decoder responding to an unused peripheral device address (also called input/output address). To generate a pulse, the CPU will successively write a 1 and a 0 in the latch. This pulse could also be generated by the above microcontroller.

Those skilled in the art will be able to write the suitable POST, SETUP and microcontroller programs in order to achieve the described functions.

Switches 30 can be achieved by logic gates. Flip-flop 31 has been described as an RS flip-flop, but those skilled in the art will be able to choose any equivalent circuit.

We claim: 

1. A computer comprising:
a first memory of a type which is conventionally provided for storing computer configuration data including user-defined configuration data;
a non-volatile second memory;
a programmer for reprogramming the non-volatile second memory, the second memory storing said computer configuration data and user-defined confidential data; and
a central processing unit coupled with the first and second memories and the programmer, the first memory being accessible by the central processing unit in a standard memory-access manner and the second memory being accessible by the central processing unit in a memory-access manner different from the standard memory-access manner of the first memory, the central processing unit being operative during power on of the computer to copy into the first memory the computer configuration data but not the user-defined confidential data stored in the non-volatile second memory, the computer configuration data adjusting the computer configuration so the computer is correctly coupled with its peripheral devices.

2. The computer of claim 1, further comprising a switch arrangement coupled with the central processing unit and the non-volatile second memory for normally enabling access between the central processing unit and the non-volatile second memory, the switch arrangement being operative following copying of the configuration data from the second memory into the first memory for cutting access of the central processing unit to the non-volatile second memory and to peripheral devices specified by the user-defined configuration data.

3. The computer of claim 2, wherein the user-defined confidential data form a password, the computer having at least one input device and a reprogrammer of the second memory, the reprogrammer activating the programmer only following input through the at least one input device of the same password as is stored in said second memory as the user-defined confidential data.

4. The computer of claim 1, wherein the user-defined confidential data form a password, the computer having at least one input device and a reprogrammer of the second memory, the reprogrammer activating the programmer only following input through the at least one input device of the same password as is stored in said second memory as the user-defined confidential data.

* * * * * 